#1 2009-10-31 19:26:00

fernando.vs
Member
Registered: 2009-10-31
Posts: 2

tcpdump output format issue

Hi,

I'm working with tcpdump to analyze some traffic in my network. I just installed it on my notebook with Arch Linux, but I have some issues with the output format that I'm getting right now. This is what I have:

12:06:25.858410 IP 192.168.2.3.telnet > 192.168.2.2.33004: Flags [P.], ack 150, win 1448, options [nop,nop,TS val 1853920 ecr 1571404], length 101

As you can see, I have everything (timestamps, IP address, port, flags, ack, etc.), but I don't have the sequence numbers for every segment with data. I know that it has the length of data in the segment and that's OK, but I need the sequence number to match against the acks. I have already checked the information in the man page, but it doesn't have anything about how to show the sequence numbers.

Thank you all for your replies.

#2 2009-11-01 14:06:26

pie86
Member
Registered: 2009-09-06
Posts: 78

Re: tcpdump output format issue

Probably I completely misunderstood your question, however, are you looking for something like this?

15:04:19.665168 IP 192.168.1.101.35541 > 209.85.137.125.5222: Flags [.], ack 693300005, win 996, options [nop,nop,TS val 228610 ecr 2658892855], length 0
15:04:19.925507 IP 209.85.137.125.5222 > 192.168.1.101.35541: Flags [P.], seq 693299616:693300005, ack 255793699, win 683, options [nop,nop,TS val 2658893114 ecr 166172], length 389
15:04:19.925552 IP 192.168.1.101.35541 > 209.85.137.125.5222: Flags [.], ack 693300005, win 1002, options [nop,nop,TS val 228675 ecr 2658893114,nop,nop,sack 1 {693299616:693300005}], length 0
15:04:22.530926 IP 192.168.1.101.41429 > 67.202.94.93.80: Flags [S], seq 3973180484, win 5840, options [mss 1460,sackOK,TS val 229326 ecr 0,nop,wscale 6], length 0
15:04:22.695586 IP 67.202.94.93.80 > 192.168.1.101.41429: Flags [S.], seq 4156258667, ack 3973180485, win 5792, options [mss 1452,sackOK,TS val 404262893 ecr 229326,nop,wscale 1], length 0
15:04:22.695641 IP 192.168.1.101.41429 > 67.202.94.93.80: Flags [.], ack 4156258668, win 92, options [nop,nop,TS val 229368 ecr 404262893], length 0
15:04:22.695763 IP 192.168.1.101.41429 > 67.202.94.93.80: Flags [P.], seq 3973180485:3973181288, ack 4156258668, win 92, options [nop,nop,TS val 229368 ecr 404262893], length 803
15:04:22.899353 IP 67.202.94.93.80 > 192.168.1.101.41429: Flags [.], seq 4156258668:4156260108, ack 3973181288, win 3699, options [nop,nop,TS val 404262943 ecr 229368], length 1440
15:04:22.899408 IP 192.168.1.101.41429 > 67.202.94.93.80: Flags [.], ack 4156260108, win 137, options [nop,nop,TS val 229419 ecr 404262943], length 0
15:04:22.925662 IP 67.202.94.93.80 > 192.168.1.101.41429: Flags [F.], seq 4156260108:4156260506, ack 3973181288, win 3699, options [nop,nop,TS val 404262943 ecr 229368], length 398
15:04:22.925970 IP 192.168.1.101.41429 > 67.202.94.93.80: Flags [F.], seq 3973181288, ack 4156260507, win 182, options [nop,nop,TS val 229425 ecr 404262943],

#3 2009-11-01 15:58:32

fernando.vs
Member
Registered: 2009-10-31
Posts: 2

Re: tcpdump output format issue

Yes,

that is what I need. How did you do it?

Last edited by fernando.vs (2009-11-01 16:05:02)

#4 2009-11-01 17:14:19

pie86
Member
Registered: 2009-09-06
Posts: 78

Re: tcpdump output format issue

mm... I followed this tutorial: http://danielmiessler.com/study/tcpdump/

So tcpdump -nS; however, I'm not at home now and I haven't tested this on my Arch. The output above was produced by tcpdump 4.0 on Ubuntu 9.10.
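With -S tcpdump prints absolute rather than relative sequence numbers, so the seq ranges of one direction can be compared directly with the acks of the other. As an added example (not from this thread), here is a small Python parser for that line format which pairs each data segment's seq range with the first reverse-direction packet whose cumulative ack covers it; the sample lines are constructed in the same format as pie86's output (RFC 5737 addresses), not a real capture.

```python
import re
# Matches one "tcpdump -nS" IPv4/TCP line; src/dst keep tcpdump's host.port form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
)
# Constructed sample in the same format as the posted output (RFC 5737 addresses).
SAMPLE = [
    "15:04:22.695763 IP 192.0.2.5.41429 > 198.51.100.7.80: Flags [P.], seq 3973180485:3973181288, ack 4156258668, win 92, length 803",
    "15:04:22.899353 IP 198.51.100.7.80 > 192.0.2.5.41429: Flags [.], seq 4156258668:4156260108, ack 3973181288, win 3699, length 1440",
    "15:04:22.899408 IP 192.0.2.5.41429 > 198.51.100.7.80: Flags [.], ack 4156260108, win 137, length 0",
    "15:04:22.925662 IP 198.51.100.7.80 > 192.0.2.5.41429: Flags [F.], seq 4156260108:4156260506, ack 3973181288, win 3699, length 398",
]

def parse_line(line):
    """Return a dict with ts, src, dst, flags, seq, seq_end, ack (ints or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("seq", "seq_end", "ack"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d

def seq_ge(a, b):
    """a >= b in 32-bit TCP sequence space (handles wraparound)."""
    return (a - b) % 2**32 < 2**31

def match_acks(lines):
    """Return (seq, seq_end, ack_ts) per data segment; ack_ts is None if never acked."""
    pkts = [p for p in map(parse_line, lines) if p]
    results = []
    for i, p in enumerate(pkts):
        if p["seq_end"] is None:          # no data (pure ack, bare SYN/FIN)
            continue
        acked_at = None
        for q in pkts[i + 1:]:
            # Reverse direction and cumulative ack at or past the segment end
            if (q["src"], q["dst"]) == (p["dst"], p["src"]) \
                    and q["ack"] is not None and seq_ge(q["ack"], p["seq_end"]):
                acked_at = q["ts"]
                break
        results.append((p["seq"], p["seq_end"], acked_at))
    return results

if __name__ == "__main__":
    for seq, end, ts in match_acks(SAMPLE):
        print(f"seq {seq}:{end} -> {'acked at ' + ts if ts else 'not acked in capture'}")
```

The last segment (the server's FIN with 398 bytes) reports as unacknowledged because the sample ends before the client's reply, which is exactly the case this kind of matching is meant to surface.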
